Adversaries may leverage spoolsv.exe to execute arbitrary code via a crafted print job, exploiting CVE-2021-1675 to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential exploitation of this known vulnerability.
KQL Query

```kusto
// Look for file load events for spoolsv
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where FolderPath has @"spool\drivers"
| extend LoadFileTime = Timestamp
| distinct DeviceId, LoadFileTime, FileName, SHA256
// Join process data associated with spoolsv launching suspicious processes after image load
| join DeviceProcessEvents on $left.DeviceId == $right.DeviceId
| where Timestamp > ago(7d)
| where Timestamp < LoadFileTime + 5m
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where ProcessIntegrityLevel =~ 'SYSTEM'
| where (FileName1 in~ ("gpupdate.exe", "whoami.exe", "nltest.exe", "taskkill.exe",
    "wmic.exe", "taskmgr.exe", "sc.exe", "findstr.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "accesschk.exe",
    "wevtutil.exe", "bcdedit.exe", "fsutil.exe", "cipher.exe", "schtasks.exe", "write.exe", "wuauclt.exe") or
    // Processes with specific FPs removed
    (FileName1 =~ "net.exe" and ProcessCommandLine !has "start") or
    (FileName1 =~ "cmd.exe" and not(ProcessCommandLine has_any (".spl", "route add", "program files"))) or
    (FileName1 =~ "netsh.exe" and not(ProcessCommandLine has_any ("add portopening", "rule name"))) or
    (FileName1 =~ "powershell.exe" and ProcessCommandLine !has ".spl") or
    (FileName1 =~ "rundll32.exe" and ProcessCommandLine != "" and ProcessCommandLine !contains " "))
```
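To see what the rule's join window, integrity filter and command-line carve-outs actually keep before deploying it, the following added Python example (not code from the page or from Sentinel) re-implements the query's logic over constructed sample rows. The column names follow the two tables the rule reads; the `proc` helper, the device ids and all sample values are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample rows (not real telemetry) carrying the columns the rule reads from the two tables.
T0 = datetime(2021, 7, 1, 10, 0, 0)
IMAGE_LOADS = [
    {"DeviceId": "dev-1", "Timestamp": T0, "InitiatingProcessFileName": "spoolsv.exe",
     "FolderPath": r"C:\Windows\System32\spool\drivers\x64\3\New\x.dll", "FileName": "x.dll"},
    {"DeviceId": "dev-2", "Timestamp": T0, "InitiatingProcessFileName": "spoolsv.exe",
     "FolderPath": r"C:\Windows\System32\winspool.drv", "FileName": "winspool.drv"},
]
def proc(dev, minutes, name, cmd, level="System"):
    return {"DeviceId": dev, "Timestamp": T0 + timedelta(minutes=minutes), "FileName": name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": "spoolsv.exe", "ProcessIntegrityLevel": level}
PROCESS_EVENTS = [
    proc("dev-1", 2, "cmd.exe", "cmd.exe /c whoami"),            # in window, no benign term -> hit
    proc("dev-1", 3, "cmd.exe", r"cmd.exe /c del C:\q\1.SPL"),    # ".spl" present -> known FP, dropped
    proc("dev-1", 1, "rundll32.exe", "rundll32.exe"),              # argument-less rundll32 -> hit
    proc("dev-1", 10, "whoami.exe", "whoami.exe"),                 # 10 min after the load -> outside 5m window
    proc("dev-1", 4, "whoami.exe", "whoami.exe", level="Medium"),  # not SYSTEM integrity -> dropped
    proc("dev-2", 1, "whoami.exe", "whoami.exe"),                  # dev-2 loaded nothing from spool\drivers
]

LOLBINS = {"gpupdate.exe", "whoami.exe", "nltest.exe", "taskkill.exe", "wmic.exe", "taskmgr.exe", "sc.exe", "findstr.exe",
           "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "accesschk.exe", "wevtutil.exe", "bcdedit.exe",
           "fsutil.exe", "cipher.exe", "schtasks.exe", "write.exe", "wuauclt.exe"}
# Binaries the rule keeps only when none of these command-line terms appear (its FP carve-outs).
FP_TERMS = {"net.exe": ["start"], "cmd.exe": [".spl", "route add", "program files"],
            "netsh.exe": ["add portopening", "rule name"], "powershell.exe": [".spl"]}

def is_suspicious_child(name, cmd):
    n, c = name.lower(), cmd.lower()  # =~, in~ and has are case-insensitive; substring approximates "has"
    if n in FP_TERMS:
        return not any(t in c for t in FP_TERMS[n])
    if n == "rundll32.exe":           # non-empty command line without a space, i.e. no arguments
        return cmd != "" and " " not in cmd
    return n in LOLBINS

def correlate(image_loads, process_events, window=timedelta(minutes=5)):
    # Mirrors the join: same DeviceId, child started before LoadFileTime + 5m (the rule sets no
    # lower bound), spawned by spoolsv.exe at SYSTEM integrity, with a suspicious child name.
    loads = [r for r in image_loads if r["InitiatingProcessFileName"].lower() == "spoolsv.exe"
             and r"spool\drivers" in r["FolderPath"].lower()]
    hits = []
    for p in process_events:
        ok = (p["InitiatingProcessFileName"].lower() == "spoolsv.exe" and p["ProcessIntegrityLevel"].lower() == "system"
              and is_suspicious_child(p["FileName"], p["ProcessCommandLine"]))
        for r in loads:
            if ok and r["DeviceId"] == p["DeviceId"] and p["Timestamp"] < r["Timestamp"] + window:
                hits.append((p["DeviceId"], p["FileName"], r["FileName"]))
    return hits
```

Running `correlate(IMAGE_LOADS, PROCESS_EVENTS)` on the sample returns only the two dev-1 rows (the cmd.exe and the argument-less rundll32.exe), which is what the rule would raise for the same telemetry.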
```yaml
id: ece67992-9699-44f5-a5c5-f7e5c2d1d5d4
name: Suspicious Spoolsv Child Process
description: |
  Surfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceImageLoadEvents
      - DeviceProcessEvents
tactics:
  - Privilege escalation
  - Exploit
query: |
  // Look for file load events for spoolsv
  DeviceImageLoadEvents
  | where Timestamp > ago(7d)
  | where InitiatingProcessFileName =~ "spoolsv.exe"
  | where FolderPath has @"spool\drivers"
  | extend LoadFileTime = Timestamp
  | distinct DeviceId, LoadFileTime, FileName, SHA256
  // Join process data associated with spoolsv launching suspicious processes after image load
  | join DeviceProcessEvents on $left.DeviceId == $right.DeviceId
  | where Timestamp > ago(7d)
  | where Timestamp < LoadFileTime + 5m
  | where InitiatingProcessFileName =~ "spoolsv.exe"
  | where ProcessIntegrityLevel =~ 'SYSTEM'
  | where (FileName1 in~ ("gpupdate.exe", "whoami.exe", "nltest.exe", "taskkill.exe",
      "wmic.exe", "taskmgr.exe", "sc.exe", "findstr.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "accesschk.exe",
      "wevtutil.exe", "bcdedit.exe", "fsutil.exe", "cipher.exe", "schtasks.exe", "write.exe", "wuauclt.exe") or
      // Processes with specific FPs removed
      (FileName1 =~ "net.exe" and ProcessCommandLine !has "start") or
      (FileName1 =~ "cmd.exe" and not(ProcessCommandLine has_any (".spl", "route add", "program files"))) or
      (FileName1 =~ "netsh.exe" and not(ProcessCommandLine has_any ("add portopening", "rule name"))) or
      (FileName1 =~ "powershell.exe" and ProcessCommandLine !has ".spl") or
      (FileName1 =~ "rundll32.exe" and ProcessCommandLine != "" and ProcessCommandLine !contains " "))
```
| Sentinel Table | Notes |
|---|---|
| DeviceImageLoadEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Print Spooler to manage print jobs, and spoolsv.exe is spawning child processes as part of normal print queue management.
Filter/Exclusion: Exclude processes with parent process spoolsv.exe and child process names like print.exe, mspaint.exe, or notepad.exe when originating from known print-related paths (e.g., C:\Windows\System32\spool\).
Scenario: A scheduled task is configured to run a legitimate script or application that temporarily spawns a child process under spoolsv.exe as part of a system maintenance routine.
Filter/Exclusion: Exclude processes where the parent is spoolsv.exe and the child process is associated with a known scheduled task (e.g., Task Scheduler or schtasks.exe).
Scenario: A third-party application (e.g., Adobe Acrobat or Microsoft Office) uses the Print Spooler API to generate temporary files or process print jobs, which may cause spoolsv.exe to spawn child processes.
Filter/Exclusion: Exclude processes where the child process is associated with known applications like AcroRd32.exe, WinWord.exe, or Excel.exe and the parent is spoolsv.exe.
Scenario: A remote desktop session or terminal services environment may cause spoolsv.exe to spawn child processes when users print from remote sessions.
Filter/Exclusion: Exclude processes where the parent is spoolsv.exe and the child process is associated with RDP or terminal services (e.g., mstsc.exe, tsclient.exe, or tscon.exe).
Scenario: A system update or patching tool (e.g., **Windows